New TDSS rootkit infects 4.5 million PCs in 3 months, targets rival malware

Written by James Delahunty @ 30 Jun 2011 1:12

TDL-4 rootkit is another major upgrade to the notorious TDSS family.

The TDSS rootkit family (also known as Alureon or TDL) is something of an admired worst enemy of security researchers and anti-virus vendors. It hides deep in the Windows operating system, using and manipulating low-level instructions to avoid detection by anti-virus suites, and it encrypts its communications with command and control servers.

The latest version of the family, TDL-4, is used (like the others) as a stealth backdoor installer of malware, and it has some huge advantages over its predecessors. It can now infect 64-bit versions of Windows by bypassing the Windows kernel mode code signing policy, and it creates ad-hoc DHCP servers on networks, giving it new propagation powers.

Another major step forward for the malware is the ability to use the Kademlia P2P network for communications. This helps keep the rootkit alive if real-world legal action takes down its command and control servers.

TDL-4 is also protective of its control over an infected PC, and does not want to share power. It has its own built-in anti-malware abilities, finding and killing ZeuS, Gbot and Optima malware infestations on systems it compromises. It even blacklists addresses of command and control servers used by rival malware.

According to research from Kaspersky Labs, the formidable rootkit compromised 4.5 million PCs in the first three months of the year. Almost a third of those computers were in the United States, the most profitable targets.

Tags: Kaspersky TDSS

35 user comments

#1 30.6.2011 1:39

Y'all are dumb, y'all are so dumb.

#2 30.6.2011 1:40

Unless it uses only the most frequently used commands, not the ones just sitting there to be exploited, it'll still get to my computer and just sit there unable to do anything.

#3 30.6.2011 5:44

Don't you love Windows? It blocks me from installing drivers, and lets non-user processes do whatever they like.

Then again, this does clean more viruses than any of the M$ security suites...maybe they want it.



#4 30.6.2011 11:32

That's pretty intense. I guess at that point you just have to reinstall.

#5 30.6.2011 11:51

Originally posted by KillerBug:
Don't you love Windows? It blocks me from installing drivers, and lets non-user processes do whatever they like.

Then again, this does clean more viruses than any of the M$ security suites...maybe they want it.
These rootkits are installed by users with administrative privileges who are duped into installing them. Take a look at MacDefender; it did exactly the same thing. The big difference is that the investment dollars for black hat software production aren't geared toward non-Windows systems. Not because Windows is less secure, but because it has more non-tech-savvy users and it dominates the PC market. If the same millions upon millions of dollars targeted Linux or Mac, you'd see the same results.


#6 30.6.2011 12:02

How do y'all get viruses?
If you don't visit suspect porn sites and update def files once a day, there should really be almost zero problems. You are your own worst enemy.

KB, Win7 has never stopped me from installing drivers, nor have I had an access problem.
Again, most of the problems are the users' fault. Not saying it's you. Maybe you are running the Virus Vista on your computer?
Jeff

#7 30.6.2011 12:07

Loser virus writing a**holes! Wastes of life and nothing but a drain on society.........just like rampant piraters that NEVER give ANYTHING back.

#8 30.6.2011 14:05

Originally posted by Jeffrey_P:
How do y'all get viruses?
If you don't visit suspect porn sites and update def files once a day, there should really be almost zero problems. You are your own worst enemy.

KB, Win7 has never stopped me from installing drivers, nor have I had an access problem.
Again, most of the problems are the users' fault. Not saying it's you. Maybe you are running the Virus Vista on your computer?
Jeff
Well said, JP.

#9 30.6.2011 18:40

Jeffrey_P: If there is a security hole in the OS that can be used to gain administrative privileges via a random port, and you are connected directly to the network with a public IP address, or NATed behind an also vulnerable firewall with open ports, you can be infected with malware that comes out today exploiting that hole. Or, even better, you get an e-mail which exploits an Outlook flaw, even if you don't open any attachment.

So, let's say you notice it tomorrow, and you submit it immediately to your AV server; they create a vaccine in another 24 hours. Your internet neighbourhood, even if using your choice of AV, and updating defs once a day just like yourself, has been exposed for over three days, even if they didn't download any porn. It's not that simple. I tell you, and I'm a PARANOID administrator who caught a pretty bad nobodykit once on an up-to-date Debian server, which had settled there by exploiting a flaw in Exim4. Not kidding. Cleaning it was really painful; it took me a whole afternoon, and, I insist, I'm a Linux admin with many years of experience.

The thing is, of course, that they are all a bunch of motherf*ckers who could use their knowledge for something useful, but, I must say it again, shame on humans. :(

This message has been edited since its posting. Latest edit was made on 30 Jun 2011 @ 18:45

"You know, it seems that quotes on the internet are becoming less and less reliable." -Abraham Lincoln.

#10 30.6.2011 19:06

Originally posted by dali:
Jeffrey_P: If there is a security hole in the OS that can be used to gain administrative privileges via a random port, and you are connected directly to the network with a public IP address, or NATed behind an also vulnerable firewall with open ports, you can be infected with malware that comes out today exploiting that hole. Or, even better, you get an e-mail which exploits an Outlook flaw, even if you don't open any attachment.

So, let's say you notice it tomorrow, and you submit it immediately to your AV server; they create a vaccine in another 24 hours. Your internet neighbourhood, even if using your choice of AV, and updating defs once a day just like yourself, has been exposed for over three days, even if they didn't download any porn. It's not that simple. I tell you, and I'm a PARANOID administrator who caught a pretty bad nobodykit once on an up-to-date Debian server, which had settled there by exploiting a flaw in Exim4. Not kidding. Cleaning it was really painful; it took me a whole afternoon, and, I insist, I'm a Linux admin with many years of experience.

The thing is, of course, that they are all a bunch of motherf*ckers who could use their knowledge for something useful, but, I must say it again, shame on humans. :(
Thanks for the info on privileges.
I don't use Outlook, in favor of Thunderbird.
Truth is, I don't use M$ for anything except for the OS and OS updates, which seem to show up every Thursday.

That's what we get for an OS with the highest user base. Something Mac owners are now finding out because of Apple's market share.

I run Puppy Linux a lot of the time. Finally a Linux OS that Joe Sixpack can use.
Hell, I remember using Unix. Old as dirt by today's standard.

Also I run auto racing games under Windows. I'm not sure that Wine will run them but it's not worth the time trying to do a setup.
Jeff
This message has been edited since its posting. Latest edit was made on 30 Jun 2011 @ 21:27

Cars, Guitars & Radiation.

#11 30.6.2011 19:52

Originally posted by hearme0:
Loser virus writing a**holes! Wastes of life and nothing but a drain on society.........just like rampant piraters that NEVER give ANYTHING back.
Usually, people who write viruses this complex are in it for the (large sums of) money. While the writers can and, occasionally, do get caught, most of the time security researchers (etc.) just try to take down the C&C centers the bot uses.

As for this new virus/rootkit, by using a P2P network for its communications the virus writers have made this virus that much harder to shut down.

"The only people who should buy Monster cable are people who light cigars with Benjamins." - Gizmodo

#12 30.6.2011 21:45

Do you mean DOS? Except for a very few games, they will not run.
Besides all the hoopla you have to go through with all the condoms game distributors use... Just not worth it.
The Amiga was a different story. The OS had a GUI + a CLI (command line interface).
Perfect hacker's machine.

I have to admit buddies would trade software when 9600 baud modems ruled.
I regret doing it, and it probably was one of the death knells for the Amiga. Unlike today, where $$$$$ are made.
Jeff

This message has been edited since its posting. Latest edit was made on 30 Jun 2011 @ 21:54

Cars, Guitars & Radiation.

#13 1.7.2011 10:07

Originally posted by Jeffrey_P:
Do you mean DOS? Except for a very few games, they will not run.
Besides all the hoopla you have to go through with all the condoms game distributors use... Just not worth it.
The Amiga was a different story. The OS had a GUI + a CLI (command line interface).
Perfect hacker's machine.

I have to admit buddies would trade software when 9600 baud modems ruled.
I regret doing it, and it probably was one of the death knells for the Amiga. Unlike today, where $$$$$ are made.
Jeff

The Amiga isn't quite dead yet; development is still ongoing. I still have my A1200 in my studio :) Can't beat a bit of 8 / 14 bit emulated vocals :)
This message has been edited since its posting. Latest edit was made on 01 Jul 2011 @ 10:09

#14 1.7.2011 10:22

Almost forgot about the 1200. Had one of those also.
The main reason I had to go PC is because developers jumped ship. Can you blame them? A bud from SLAC wrote communication software. It is a published document that can still be found on the SLAC/pub website. He dumped the Amiga and started work on BeOS apps ;) He was the largest proponent for the Amiga you could ever meet.
No software, no customers.
I use a TASCAM 2488 for recording.
Jeff

This message has been edited since its posting. Latest edit was made on 01 Jul 2011 @ 10:26

Cars, Guitars & Radiation.

#15 1.7.2011 11:55

Originally posted by Jeffrey_P:
How do y'all get viruses?
If you don't visit suspect porn sites and update def files once a day, there should really be almost zero problems. You are your own worst enemy.
Jeff
I think you ought to look at this article: http://www.eweek.com/c/a/Security/11-Internet-Security-Myths-That-Delude-Computer-Users-114208/?kc=EWKNLNAV06292011STR1

Fact: Most malware comes from rogue "normal looking" websites or compromised legitimate sites.

Your viewpoint is the common misconception, not that I recommend surfing porn sites.

There's no justice; there's just us.

#16 1.7.2011 12:05

I do most of mine computer-based now with control surfaces; still have a Roland VS880 tucked away as well as old TASCAM 4-tracks :))

Ah, for the simplicity of the old OctaMED; soundstudio on PC is OK but hasn't got the feel.

#17 1.7.2011 12:09

Originally posted by ToadWiz:
Originally posted by Jeffrey_P:
How do y'all get viruses?
If you don't visit suspect porn sites and update def files once a day, there should really be almost zero problems. You are your own worst enemy.
Jeff
I think you ought to look at this article: http://www.eweek.com/c/a/Security/11-Internet-Security-Myths-That-Delude-Computer-Users-114208/?kc=EWKNLNAV06292011STR1

Fact: Most malware comes from rogue "normal looking" websites or compromised legitimate sites.

Your viewpoint is the common misconception, not that I recommend surfing porn sites.
Are you stalking me?
Did you read my post or just pinpoint what raises your interest?
You are preaching to the choir.
Jeff
This message has been edited since its posting. Latest edit was made on 01 Jul 2011 @ 12:12

Cars, Guitars & Radiation.

#18 1.7.2011 13:04

Trust me, you aren't important enough to stalk. I am just aware of the MISCONCEPTION that adult web sites are the major distributor of infections, and it doesn't serve the community to confirm that myth.


There's no justice; there's just us.

#19 1.7.2011 13:32

What's with the nic? Do you have warts?
Jeff

#20 1.7.2011 13:38

Toad was my nic from school ... more than 40 years ago. Unfortunately, someone beat me to it, so I had to mod it a bit. No warts.


There's no justice; there's just us.

#21 1.7.2011 13:48

Ok man understood.
Are you Hammer Head?
Jeff

#22 2.7.2011 2:25

I have seen many of my friends and neighbors who never visit porn sites get infections, and most porn sites, which are huge money makers, believe it or not do a pretty good job at policing themselves; they are not stupid.

Sure, you will get adware and spyware and all kinds of bloated crap from them, but viruses? Not that often, actually rare.

#23 2.7.2011 8:03

So, I have Kaspersky installed, and consider myself knowledgeable, but with this article I fail to see the point? It just puts the frighteners up you for no apparent reason, with no apparent remedy. I also cannot believe that this type of virus just downloads and installs itself without me knowing. Enlighten me on this one, as I have a well old Dell with 500 MB RAM and a 40 GB hard drive and the original graphics card. In other words, you can't get slower than this, so I would notice an extra Spider game being run, let alone a malicious virus being fitted.


heinekabimbam

#24 2.7.2011 9:15

Originally posted by Jeffrey_P:
Ok man understood.
Are you Hammer Head?
Jeff
Is this some kind of insult? I don't know what or who Hammer Head is.

There's no justice; there's just us.

#25 2.7.2011 9:24

No, there is another thread where I insulted you. You do know how to use the search function, do you not?
Newbie eh?
Shit disturber sums it up better.

#26 2.7.2011 9:32

Originally posted by earache:
so, i have kaspersky installed, and consider myself knowledgeable but with this article i fail to see the point?
Earache, the link I posted above busts some of the myths that have been going around. Perhaps not so much myths as just the way it was 10 years or more ago. The malware scene, except for script kiddies and 56-year-old dweebs living in their mother's basement, is highly organized. Bot herders get paid up to $2 per machine in their herd, and those are used for sending spam, transferring pirated software, participating in network attacks (like DDoS), and stealing personal information for ID theft.

No matter what else you personally care about, being aware that your identity is a commodity that is highly sought after is worth knowing. I've been a victim of ID theft twice, and I'm quite competent at computer security. I'm a Linux/Unix system administrator for a government contractor.

The point of the original article is to be aware. Perhaps you don't have the skill to defeat every hacker out there - I don't. But I can be aware that they would like to hack my machines and steal my identity, my money from my bank accounts, proprietary information (assuming I was actually stupid enough to store it on my personal computer), and so on.

Consider the situation like Tombstone, Arizona, circa 1881. You don't have to be a gunfighter to walk the streets, but it doesn't hurt to be aware of gunfighters and defend yourself as best you can.

There's no justice; there's just us.

#27 2.7.2011 9:36

Originally posted by Jeffrey_P:
No, there is another thread where I insulted you. You do know how to use the search function, do you not?
Newbie eh?
Shit disturber sums it up better.
Yes, I agree with that. A lot of what you personally put out is SHIT, and I have no problem with correcting it for you.

Yes, I know how to use the search function, but that assumes I find your posts interesting enough to be worth searching for whatever crap you are spewing.

As far as whether I'm a newbie or not, I think the relative quality of our posts says everything that needs to be said.
This message has been edited since its posting. Latest edit was made on 02 Jul 2011 @ 9:37

There's no justice; there's just us.

#28 2.7.2011 9:52

"There's no justice; there's just us."
You are quoting Richard Pryor. Give credit where credit is due.

Did you take the, "How American are you" test?
I answered all 20 questions correctly. A little crazy since most people do not take very much American history these days.
Here: http://www.azcentral.com/news/articles/2011/06/27/20110627history-quiz-July-4-slideshow-prog.html
See ya!
Jeff

#29 2.7.2011 10:23

Originally posted by Jeffrey_P:
"There's no justice; there's just us."
You are quoting Richard Pryor. Give credit where credit is due.

Did you take the, "How American are you" test?
I answered all 20 questions correctly. A little crazy since most people do not take very much American history these days.
Here: http://www.azcentral.com/news/articles/2011/06/27/20110627history-quiz-July-4-slideshow-prog.html
See ya!
Jeff
Jeffie, you need to get a better search engine. The ORIGINAL quote is from 3000AD magazine and appeared about 40 years ago.

Ordinarily I wouldn't, but just for the humor ... 20 out of 20. Rarely have I seen a simpler test. Must be dumbed down for modern society ... including people who think that math that doesn't agree with their political viewpoint is clearly in error.

There's no justice; there's just us.

#30 2.7.2011 10:42

I did not use a search engine. I do remember Pryor saying that quote. Guess you had to use a search engine for a frame of reference.

The point of the test was to test your basic knowledge of American history.
I doubt many people could pass it without reviewing things first.
You seem to read into things that aren't there Toadwizy.
Jeff

#31 2.7.2011 12:13
ithjay

Jeff and Toad, you guys are funny. You should develop a blog where you two just argue back and forth intellectually XD

#32 2.7.2011 12:23

You are right. Actually I'm done with him. It is a little funny and amusing.
You can't argue with a brick wall.
Jeff

#33 2.7.2011 12:40

Originally posted by ithjay:
Jeff and Toad, you guys are funny. You should develop a blog where you two just argue back and forth intellectually XD
Appreciate the thought, but only half of the argument would be intellectual.

There's no justice; there's just us.

#34 2.7.2011 12:46

Originally posted by Jeffrey_P:
You are right. Actually I'm done with him. It is a little funny and amusing.
You can't argue with a brick wall.
Jeff

Buddha once sat in front of a brick wall and came away enlightened ... but then I'm not Buddha, and Buddha might have committed suicide if he sat in front of you. Fortunately, it was amusing, or I wouldn't have had so much fun doing it.
This message has been edited since its posting. Latest edit was made on 02 Jul 2011 @ 12:46

There's no justice; there's just us.

#35 2.7.2011 16:28

THE SKY'S FALLING!
THE SKY'S FALLING!

WE'RE ALL DOOMED!

It's probably spread by this site.

This message has been edited since its posting. Latest edit was made on 02 Jul 2011 @ 16:29
